path: root/include/conntrackd.h
diff options
authorPablo Neira Ayuso <>2011-12-19 17:13:25 +0100
committerPablo Neira Ayuso <>2012-01-10 01:54:45 +0100
commit79a777c60cfe02197c135adcc4edb2f63ae9a695 (patch)
treecaf3edaa42b488601d829c70105185dbd9c603dd /include/conntrackd.h
parenteb31a0c3eb9db28e673587d4614662645a10cffa (diff)
conntrackd: support for expectation synchronization
This patch adds support to synchronize expectations between firewalls. This addition aims to re-use as much as possible of the existing infrastructure for stability reasons. The expectation support has been tested with the FTP helper. This extension requires libnetfilter_conntrack 1.0.0. If this is the first time you're playing with conntrackd, I *strongly* recommend you to get working setup of conntrackd without expectation support before as described in the documentation. Then, enabling expectation support is rather easy. To know more about expectations, if you're not familiar with them, I suggest you to read: "Netfilter's Connection Tracking System" Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3 (Berkeley, CA: USENIX Association, 2006, pp40-45.) In short, expectations allow one Linux firewall to filter multi-flow traffic like FTP, SIP and H.323. In my testbed, there are two firewalls in a primary-backup configuration running keepalived. The use a couple of floating cluster IP address ( and that are used by the client. These firewalls protect one FTP server ( that will be accessed by one client. In ASCII art, it looks like this: eth1 eth2 fw-1 / \ FTP -- client ------ ------ server -- \ / fw-2 This is the rule-set for the firewalls: -A POSTROUTING -t nat -s -d -j SNAT --to-source -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A FORWARD -m state --state RELATED -j ACCEPT -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: " The following steps detail how to check that the expectation support works fine for conntrackd: 1) You have to enable the expectation support in the configuration file with the following option: Sync { ... Options { ExpectationSync { ftp sip h323 } } } This enables expectation synchronization for the FTP, SIP and H.323 helpers. You can alternatively use: Sync { ... Options { ExpectationSync On } } To enable expectation synchronization for all helpers. 2) Make sure you have loaded the FTP helper in both firewalls. root@fw1# modprobe nf_conntrack_ftp root@fw2# modprobe nf_conntrack_ftp 3) Switch to the client. Start one FTP control connection to one server that is protected by the firewalls, enter passive mode: (term-1) user@client$ nc 21 220 dummy FTP server USER anonymous 331 Please specify the password. PASS nothing 230 Login successful. PASV 227 Entering Passive Mode (192,168,1,2,163,11). This means that port 163*256+11=41739 will be used for the data traffic. Read this if you are not familiar with the FTP protocol: 3) Switch to fw-1 (primary) to check that the expectation is in the internal cache. root@fw1# conntrackd -i exp proto=6 src= dst= sport=0 dport=41739 mask-src= mask-dst= sport=0 dport=65535 master-src= master-dst= sport=36390 dport=21 [active since 5s] 4) Switch to fw-2 (backup) to check that the expectation has been successfully replicated. root@fw2# conntrackd -e exp proto=6 src= dst= sport=0 dport=41739 mask-src= mask-dst= sport=0 dport=65535 master-src= master-dst= sport=36390 dport=21 [active since 8s] 5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary. 6) Switch to fw-2 (primary) to commit the external cache into the kernel. root@fw2# conntrackd -c exp The logs should display that the commit was successful: root@fw2# tail -100f /var/log/conntrackd.log [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds 7) Switch to the client. Open a new terminal and connect to the port that has been announced by the server: (term-2) user@client$ nc -vvv 41739 (UNKNOWN) [] 41739 (?) open 8) Switch to term-1 and ask for the file listing: [...] 227 Entering Passive Mode (192,168,1,2,163,11). LIST 9) Switch to term-2, it should display the listing. That means everything has worked fine. You may want to try disabling the expectation support and repeating the steps to check that *it does not work* without the state-synchronization. You can also display expectation statistics by means of: root@fwX# conntrackd -s exp This update requires no changes in the script that is used by the HA manager to interact with conntrackd. Thus, we provide a backward compatible command line interface. Regarding the Filter clause and expectations, we use the master conntrack to filter expectation events. The filtering is performed in user-space. No kernel-space filtering support for expectations yet (this support should go in libnetfilter_conntrack at some point). This patch also includes support to disable caching and to allow direct injection of expectations. Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'include/conntrackd.h')
1 files changed, 19 insertions, 0 deletions
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 697d3d7..8baa088 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -37,6 +37,16 @@
#define CT_FLUSH_EXT_CACHE 34 /* flush external cache */
#define STATS_PROCESS 35 /* child process stats */
#define STATS_QUEUE 36 /* queue stats */
+#define EXP_STATS 37 /* dump statistics */
+#define EXP_FLUSH_MASTER 38 /* flush kernel expect table */
+#define EXP_RESYNC_MASTER 39 /* resync with kernel exp table */
+#define EXP_DUMP_INTERNAL 40 /* dump internal expect cache */
+#define EXP_DUMP_EXTERNAL 41 /* dump external expect cache */
+#define EXP_COMMIT 42 /* commit expectations */
+#define ALL_FLUSH_MASTER 43 /* flush all kernel tables */
+#define ALL_RESYNC_MASTER 44 /* resync w/all kernel tables */
+#define ALL_FLUSH_CACHE 45 /* flush all caches */
+#define ALL_COMMIT 46 /* commit all tables */
#define DEFAULT_CONFIGFILE "/etc/conntrackd/conntrackd.conf"
#define DEFAULT_LOCKFILE "/var/lock/conntrackd.lock"
@@ -56,6 +66,7 @@
#define CTD_SYNC_ALARM (1UL << 3)
#define CTD_SYNC_NOTRACK (1UL << 4)
#define CTD_POLL (1UL << 5)
+#define CTD_EXPECT (1UL << 6)
/* FILENAME_MAX is 4096 on my system, perhaps too much? */
@@ -105,6 +116,8 @@ struct ct_conf {
int tcp_window_tracking;
} sync;
struct {
+ int subsys_id;
+ int groups;
int events_reliable;
} netlink;
struct {
@@ -130,6 +143,7 @@ struct ct_general_state {
struct local_server local;
struct ct_mode *mode;
struct ct_filter *us_filter;
+ struct exp_filter *exp_filter;
struct nfct_handle *event; /* event handler */
struct nfct_filter *filter; /* event filter */
@@ -177,6 +191,10 @@ struct ct_general_state {
} stats;
+struct commit_runqueue {
+ int (*cb)(struct nfct_handle *h, int step);
#define STATE_SYNC(x) state.sync->x
struct ct_sync_state {
@@ -196,6 +214,7 @@ struct ct_sync_state {
struct nfct_handle *h;
struct evfd *evfd;
int current;
+ struct commit_runqueue rq[2];
struct {
int ok;
int fail;